Properly encode query parameters during injection attempts
labkey-tchad committed Feb 28, 2025
1 parent f9b82b3 commit 5f33bd4
Showing 1 changed file with 2 additions and 4 deletions.
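--- a/src/org/labkey/test/util/Crawler.java
+++ b/src/org/labkey/test/util/Crawler.java
@@ -55,7 +55,6 @@
 import java.net.MalformedURLException;
 import java.net.URL;
 import java.net.URLDecoder;
-import java.net.URLEncoder;
 import java.nio.charset.StandardCharsets;
 import java.time.Duration;
 import java.util.AbstractMap;
@@ -1355,9 +1354,8 @@ private void testInjection(URL start)
 List<Map.Entry<String,String>> injectParams = new ArrayList<>(params);
 //noinspection SuspiciousListRemoveInLoop
 injectParams.remove(i);
-String xss = (random.nextInt()%2)==0 ? injectScriptBlock : injectAttributeScript;
-xss = URLEncoder.encode(xss, StandardCharsets.UTF_8);
-String paramMalicious = key + "=" + xss;
+String xssValue = (random.nextInt()%2)==0 ? injectScriptBlock : injectAttributeScript;
+String paramMalicious = EscapeUtil.encode(key) + "=" + EscapeUtil.encode(xssValue);
 String queryMalicious = paramMalicious + "&" + queryStringFromEntries(injectParams);
 String urlMalicious = base + "?" + queryMalicious;
 try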
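Review bot: `EscapeUtil.encode(key)` on the new `paramMalicious` line is only correct if the entries in `params` hold decoded names; the hunk does not show how `params` is built, so if the keys are still in raw query-string form they would now be double-encoded and the injected parameter would no longer match the one the page reads. A short comment above the line would settle it, e.g. `// params holds decoded names/values, so each side is encoded exactly once here`. The same question applies to `queryStringFromEntries(injectParams)`, which presumably should encode with the same helper so the whole query string is consistent. Separately, `random.nextBoolean()` reads more directly than `(random.nextInt()%2)==0`. testInjection's body starts and ends outside the hunk.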
